Card Vendor Suite — Privacy Policy
Effective date: May 26, 2026

1. Information We Collect

Account information: When you register, we collect your username and email address. Passwords are stored as one-way hashes and are never readable by us.

Billing information: Payments are processed by Paddle. We do not store your credit card number or full payment details. We receive and store a Paddle customer ID, subscription ID, plan type, and billing status.

eBay authorization: If you connect an eBay account, we store encrypted OAuth tokens that authorize the Service to read your eBay selling account data and create draft or live listings on your behalf. These tokens are encrypted at rest and used only to fulfill your explicit listing requests. They are never shared with third parties.

Browser extension data: If you use the browser extension, it stores your Card Vendor Suite authentication token, cached account/settings data, and local extension preferences in browser extension storage. The extension reads the content of eBay listing pages you visit — including listing photos, page structure, prices, and related listing data — to perform card identification and pricing analysis. When you ask it to analyze a listing, it sends selected eBay listing image URLs, card-detection rotation/crop coordinates, and related listing context to our API. When you request sold comps, the extension may fetch eBay sold-search result pages through your browser session so it can display recent comparable sales. This constitutes access to your web browsing activity on eBay pages for the purpose of delivering the features you request.

Scan and session data: We store images you upload for card scanning, session records, and identification results. This data is associated with your account and used to provide the Service.

Usage data: We may collect basic server logs (IP address, request timestamps, error events) for security monitoring and debugging purposes.

1. How We Use Your Information
2. To provide, maintain, and improve the Service
3. To process subscription payments via Paddle
4. To create eBay listings on your behalf when you request it
5. To analyze eBay listing photos when you use the browser extension
6. To send transactional emails (account notices, subscription confirmations)
7. To detect and prevent fraud or abuse
8. To respond to your support requests
9. Data Sharing

We do not sell your personal information. We share data only with:

• Paddle — our payment processor, to handle subscription billing
• eBay — when you explicitly instruct us to create or manage listings
• Your browser extension — to store your extension authentication token and local preferences on your device
• Service providers — infrastructure and monitoring tools used to operate the Service, under confidentiality agreements
• Legal requirements — if required by law, court order, or to protect our rights
• Data Retention

We retain your account and billing records for as long as your account is active and for a reasonable period thereafter for legal and business purposes. Scan images are cleaned up by the server on a configurable schedule (default: 7 days after processing). Session identification records may be retained longer for billing and audit purposes.

Server logs (including IP addresses and request timestamps) are retained for up to 90 days and then deleted as part of normal log rotation.

Account closure: When you close your account, your account profile, session data, and scan records are deleted. Billing records are retained as required by applicable law and Paddle's policies as our payment processor. Residual copies in backup systems may persist for a short period during normal backup rotation cycles before being overwritten.

You may request deletion of your account data by contacting us at support@cardvendorsuite.com.

1. Security

All data in transit is protected by HTTPS. eBay OAuth tokens are encrypted at rest using a server-side secret key. Other server data (session records, settings) is stored on disk and protected by server-side filesystem access controls. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security but take reasonable precautions to protect your data.

1. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. To exercise these rights, contact us at support@cardvendorsuite.com. We will respond within 30 days.

1. Cookies

The Service uses session tokens (stored in browser local storage) to keep you logged in. We do not use tracking cookies or third-party advertising cookies.

1. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.

1. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. Continued use of the Service after changes take effect constitutes acceptance.

1. Contact

Privacy questions or requests can be directed to support@cardvendorsuite.com.